Class DoSFilter

@ManagedObject(value="limits exposure to abuse from request flooding, whether malicious, or as a result of a misconfigured client")
public class DoSFilter
extends Object
implements Filter

Denial of Service filter

This filter is useful for limiting
exposure to abuse from request flooding, whether malicious, or as a result of
a misconfigured client.

The filter keeps track of the number of requests from a connection per
second. If a limit is exceeded, the request is either rejected, delayed, or
throttled.

When a request is throttled, it is placed in a priority queue. Priority is
given first to authenticated users and users with an HttpSession, then
connections which can be identified by their IP addresses. Connections with
no way to identify them are given lowest priority.

maxRequestsPerSec

is the maximum number of requests from a connection per
second. Requests in excess of this are first delayed,
then throttled.

delayMs

is the delay given to all requests over the rate limit,
before they are considered at all. -1 means just reject the request,
0 means no delay, and any other value is the delay.

maxWaitMs

is how long to block while waiting for the throttle semaphore.

throttledRequests

is the number of requests over the rate limit able to be
considered at once.

throttleMs

is how long to wait asynchronously for the semaphore.

maxRequestMs

how long to allow this request to run.

maxIdleTrackerMs

is how long to keep track of request rates for a connection
before deciding that the user has gone away and discarding it.

insertHeaders

if true, insert the DoSFilter headers into the response. Defaults to true.

trackSessions

if true, usage rate is tracked by session if a session exists. Defaults to true.

remotePort

if true and session tracking is not used, then rate is tracked by IP+port (effectively connection). Defaults to false.

ipWhitelist

a comma-separated list of IP addresses that will not be rate limited

managedAttr

if set to true, then this filter is set as a ServletContext attribute with the
filter name as the attribute name. This allows a mechanism external to the context (e.g. JMX via ContextHandler.MANAGED_ATTRIBUTES) to
manage the configuration of the filter.

tooManyCode

The status code to send if there are too many requests. The default is 429 (too many requests), but 503 (Unavailable) is
another option.

getMaxPriority

getRateTracker

Return a request rate tracker associated with this connection; keeps
track of this connection's request rate. If this is not the first request
from this connection, return the existing object with the stored stats.
If it is the first request, then create a new request tracker.

Assumes that each connection has an identifying characteristic, and goes
through them in order, taking the first that matches: user id (logged
in), session id, client IP address. Unidentifiable connections are lumped
into one.
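
The lookup order described above, combined with a per-second limit, as an added example that is not Jetty's own code. The names `RateTrackerSketch`, `Tracker`, `getTracker` and `isRateExceeded` are hypothetical, and the sliding one-second window is an assumption about how requests are counted. The requests and the limit of 2 per second are constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: names are hypothetical, not Jetty's classes.
public class RateTrackerSketch {
    /** Per-connection tracker holding arrival times from the last second. */
    static final class Tracker {
        final String key;
        private final int maxPerSec;
        private final Deque<Long> recent = new ArrayDeque<>();
        Tracker(String key, int maxPerSec) { this.key = key; this.maxPerSec = maxPerSec; }

        /** Records a request at nowMs; true if the connection is now over its limit. */
        synchronized boolean isRateExceeded(long nowMs) {
            while (!recent.isEmpty() && nowMs - recent.peekFirst() >= 1000) recent.pollFirst();
            recent.addLast(nowMs);
            return recent.size() > maxPerSec;
        }
    }

    private final Map<String, Tracker> trackers = new ConcurrentHashMap<>();
    private final int maxPerSec;
    RateTrackerSketch(int maxPerSec) { this.maxPerSec = maxPerSec; }

    /** First match wins: user id, session id, client IP; null means "not available". */
    Tracker getTracker(String userId, String sessionId, String remoteIp) {
        String key = userId != null ? "user:" + userId
                : sessionId != null ? "session:" + sessionId
                : remoteIp != null ? "ip:" + remoteIp
                : "unknown"; // every unidentifiable connection shares this one tracker
        return trackers.computeIfAbsent(key, k -> new Tracker(k, maxPerSec));
    }

    public static void main(String[] args) {
        RateTrackerSketch sketch = new RateTrackerSketch(2); // constructed limit
        String[][] requests = { // constructed: userId, sessionId, ip, arrival ms
            {"alice", "s1", "192.0.2.10", "0"},   // logged in: tracked by user id
            {null, null, "192.0.2.20", "100"},
            {null, null, "192.0.2.20", "200"},
            {null, null, "192.0.2.20", "300"},    // third request from this IP inside one second
            {null, null, "192.0.2.20", "1500"},   // more than a second after the previous three
            {null, null, null, "1600"},           // nothing to identify the connection
        };
        for (String[] r : requests) {
            Tracker t = sketch.getTracker(r[0], r[1], r[2]);
            boolean over = t.isRateExceeded(Long.parseLong(r[3]));
            System.out.printf("%-18s t=%4sms %s%n", t.key, r[3], over ? "OVER LIMIT" : "ok");
        }
    }
}
```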